Advice on assessing security risks in your supply chain

December, 2018

This article provides guidance designed to help you reduce time spent on paperwork, spot the alarm signals, and work positively and collaboratively with your supply-chain partners, rather than dictating unrealistic terms or compromising on security. The advice has been anonymized to protect the organization’s security.

Don’t just tick a box – visit your supply partners personally

Asking your suppliers to leaf through multiple pages of a questionnaire and tick millions of boxes doesn’t prove security. Paperwork on both sides could be greatly reduced, and the saved time could be much better spent simply speaking face to face. You get the opportunity to see what the security is like around your organization’s assets – are there enough controls in place? Can anyone see what’s going on and access your data? You’ll learn very quickly how to spot the alarm bells.


It’s not only an absence of controls you should be looking for – even if there is some security in place, it might be dreadfully inadequate or out of date. We’ve had experiences where suppliers have fanatically enforced over-prescriptive controls around what color paper is used, alongside obsessive password changing.


And of course, if a critical supplier refuses to let you visit, that (probably) tells you everything you need to know.


What to look for and key questions to ask your suppliers

On a visit, we’re looking for evidence of a security governance programme which includes both physical and personnel security measures, and some data loss prevention mechanisms.


Examples of key questions:

  • What level of independent testing do you do? When was your last pentest? Who performed it?
  • How do you manage risk from your third-party suppliers? How do you ensure conformity with your standards?
  • How and where are your hardware and software designed, managed and maintained?


When asking questions, make sure you’re speaking to the right people – such as compliance, legal or the back end of the organization. If you’re sat in a room with a salesperson or account manager, it’s a red flag. If you don’t get answers to all your questions on a site visit, we’d recommend what we call ‘the sniff test’ – invite one of your trusted independent partners to carry out an open-source intelligence review.


Illuminate your supply-chain beyond your top suppliers

We have around 1000 top-tier suppliers, but the real risk can also lie beyond these in the 5000+ subcontractors, support services and extended supply chain partners.


For example, we looked into the security of our corporate travel booking service. We discovered that we were using the same service as one of our partner organizations, and that the itinerary information could be cross-referenced to determine that we had a relationship with that party. For us, this information is highly sensitive and must be protected.


We looked into the provider’s supply chain to assess the risk posed by their own vendors – it really was illuminating. There were at least ten more suppliers, covering car hire, rail bookings, travel expenses, hotel bookings and visa services – and these services operated out of ten countries spanning four continents. Beyond the travel services partner itself, there were multiple suppliers we needed assurance on.


This is a specific example relevant to our industry and risk factors. For others, travel plans may not be as sensitive – unless there is a major deal yet to be announced or a merger/acquisition underway.


Adjusting your approach to the level of risk

Taking the most thorough approach to every single supply partner is not feasible or, frankly, sensible. To operate efficiently in the real world, you must take on a certain level of risk.


Much like internal network segregation, we group suppliers into tiers based on the nature of the service they provide and our appetite for risk in relation to the data they hold. For high-risk suppliers, we may visit them on a regular basis, but for lower tiers we may only visit once, or send our organization’s supply chain assessment document. Geographical region also plays a part in this. Some regions have excellent security programs and a willingness to conform to any requirements – one supplier in India physically partitioned part of a floorplate overnight specifically to protect our data from those not working on the project.


Encourage good security practice with your suppliers

Above all, we want our suppliers to be open and honest with us, not to hide information from us because we are bearing down on them with demands. When it comes to security, some of the smaller suppliers simply don’t know where to start. Some years ago, I asked a small supplier when their last pentest was – this question was met with a confused ‘What’s a pentest?’


Needless to say, when we organized an independent test for them, it revealed that they could be compromised in – almost literally – three mouse clicks. But this gave them the springboard they needed to act and improve security for all their customer data – not just ours.


Ways to position support to benefit your suppliers:

  • Offer free consultancy through giving them a threat briefing
  • Offer to sponsor an independent pentest with your trusted partner
  • Offer to sponsor accreditation, membership of a security association, or access to trusted security advice


Many thanks to the organization for speaking with us about their approach.
